This page was created to track some work in progress. See the mitigations man page for current information (although it does not currently document kernel memory permissions).
Technique |
HEAD rev / patch |
Prevent memory access in privileged modes |
|
amd64 Supervisor Mode Access Prevention (SMAP) |
|
arm64 Privileged Access Never (PAN) |
|
Prevent execution in privileged modes |
|
amd64 Supervisor Mode Execution Prevention (SMEP) |
|
arm64 Privileged Execute Never (PXN) |
|
Limit permissions on kernel memory |
|
Direct map |
|
Kernel stacks |
|
Recursive page table mappings |
|
Kernel .text, .data, .bss |
|
UMA and malloc(9) |
|
pipe_map and exec_map |
|
Kernel module .text, .data, .bss |
|
The topic was discussed at the August 2017 Cambridge Summit - notes at DevSummit/201708/Security_mitigation